U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
OFFICE OF AUDITS

Final Audit Report

Subject:

AUDIT OF THE INFORMATION TECHNOLOGY SECURITY CONTROLS OF THE U.S. OFFICE OF PERSONNEL MANAGEMENT'S BENEFITS FINANCIAL MANAGEMENT SYSTEM
FY 2010

Report No. 4A-CF-00-10-018
Date: September 10, 2010

CAUTION

This audit report has been distributed to Federal officials who are responsible for the administration of the audited program. This audit report may contain proprietary data which is protected by Federal law (18 U.S.C. 1905). Therefore, while this audit report is available under the Freedom of Information Act and made available to the public on the OIG webpage, caution needs to be exercised before releasing the report to the general public as it may contain proprietary information that was redacted from the publicly distributed copy.

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT
Washington, DC 20415
Office of the Inspector General

Audit Report
Washington, D.C.

Michael R. Esser
Assistant Inspector General for Audits

Executive Summary

This final audit report discusses the results of our review of the information technology security controls of the U.S. Office of Personnel Management's (OPM) Benefits Financial Management System (BFMS). Our conclusions are detailed in the "Results" section of this report.

BFMS is one of OPM's 43 critical IT systems and is comprised of multiple applications that provide management and accounting support to OPM programs. Although all of the applications that comprise BFMS are housed on OPM's mainframe environment, it became apparent during this audit that the Office of the Chief Financial Officer (OCFO) does not have a clear understanding of which specific applications are actually a part of the BFMS umbrella of systems. Several iterations of the BFMS inventory were presented to Office of the Inspector General (OIG) auditors throughout the audit, and the versions differed with both the addition and subtraction of applications from the inventory.

The fact that the specific applications that are part of BFMS have not been clearly defined has limited the OCFO's ability to adequately manage several security-related elements required by FISMA. Specifically, the BFMS independent security control test, the internal self-assessment of security controls, and the system's contingency plan could not have had accurately defined scopes. We consider this issue to be a significant deficiency in the BFMS control structure.

In addition to the concerns related to the BFMS application inventory, the OIG documented the following opportunities for improvement:
• The information system security plan for BFMS does not contain several critical elements required by National Institute of Standards and Technology (NIST) Special Publication 800-18.
• The security controls classified as common, application specific, or hybrid during the independent security test and evaluation were not consistent with the control classification done by the OCFO during the security control self-assessment.
• The BFMS self-assessment indicated that there were zero security weaknesses in the system. However, an OIG review of the same security controls indicated that weaknesses do exist.
• A contingency plan has been developed for BFMS. However, several areas of the contingency plan could be improved.
• The BFMS Privacy Impact Assessment (PIA) was conducted in accordance with the requirements of OPM's PIA Guide. However, OPM's PIA guide is missing several elements required by the Office of Management and Budget (OMB). Consequently, the BFMS PIA is missing these elements as well. Additionally, there is no evidence that the BFMS PIA has been reviewed by the system owner on an annual basis as required by OMB.
• OIG independently tested 25 of the NIST 800-53 controls for BFMS and found that 6 of these security controls were not in place during the fieldwork phase of the audit.

In addition, the OIG reviewed several elements of the BFMS security program that appear to be in full FISMA compliance:
• A security certification and accreditation (C&A) of BFMS was completed in August 2007 and another C&A is due for completion by August 2010.
• The OIG agrees with the security categorization of moderate for BFMS.
• A risk assessment was conducted for BFMS in 2007 that addresses all the required elements outlined in relevant NIST guidance.
• The BFMS Plan of Action and Milestones (POA&M) follows the format of the OPM POA&M guide, and has been routinely submitted to the Office of the Chief Information Officer for evaluation.

Contents

Executive Summary ........................................................ i
Introduction .............................................................. 1
Background ................................................................ 1
Objectives ................................................................ 1
Scope and Methodology ..................................................... 2
Compliance with Laws and Regulations ...................................... 3
Results ................................................................... 4
    I. Applications Included in the Benefit Financial Management System (BFMS) ... 4
   II. Certification and Accreditation Statement .......................... 5
  III. FIPS 199 Analysis ................................................... 5
   IV. Information System Security Plan .................................... 5
    V. Risk Assessment ..................................................... 6
   VI. Independent Security Control Testing ................................ 7
  VII. Security Control Self-Assessment .................................... 8
 VIII. Contingency Planning and Contingency Plan Testing ................... 8
   IX. Privacy Impact Assessment .......................................... 10
    X. Plan of Action and Milestones Process .............................. 11
   XI. NIST SP 800-53 Evaluation .......................................... 11
Major Contributors to this Report ........................................ 15
Appendix: Office of the Chief Financial Officer's June 15, 2010 response to the OIG's draft audit report, issued May 4, 2010.

Introduction

On December 17, 2002, President Bush signed into law the E-Government Act (P.L. 107-347), which includes Title III, the Federal Information Security Management Act (FISMA). It requires (1) annual agency program reviews, (2) annual Inspector General (IG) evaluations, (3) agency reporting to the Office of Management and Budget (OMB) the results of IG evaluations for unclassified systems, and (4) an annual OMB report to Congress summarizing the material received from agencies. In accordance with FISMA, we evaluated the information technology (IT) security controls related to the Office of Personnel Management's (OPM) Benefits Financial Management System (BFMS).

Background

BFMS is one of OPM's 43 critical IT systems. As such, FISMA requires that the Office of the Inspector General (OIG) perform an audit of IT security controls of this system, as well as all of the agency's systems on a rotating basis.

The Office of the Chief Financial Officer (OCFO) has been designated with ownership of BFMS. The BFMS system provides the management and accounting support for the Civil Service Retirement Disability Fund, the Federal Employees' Group Life Insurance program, and the Federal Employees Health Benefits Program. BFMS is comprised of a set of individual applications that reside in OPM's mainframe environment. The mainframe infrastructure is supported by the agency's Data Center Group within the Office of the Chief Information Officer (OCIO).

This was our second audit of the security controls surrounding BFMS. The findings from the first BFMS audit report, issued in 2004, were closed prior to the start of this audit. We discussed the results of our audit with OCFO representatives at an exit conference and in a draft audit report.

Objectives

Our overall objective was to perform an evaluation of security controls for BFMS to ensure that OCFO officials have implemented IT security policies and procedures in accordance with standards established by OPM's OCIO. These policies and procedures are designed to assist program office officials in developing and documenting IT security practices that are in substantial compliance with FISMA, as well as OMB regulations and the National Institute of Standards and Technology (NIST) guidance.

OPM's IT security policies and procedures require managers of all major and sensitive systems to complete a series of steps to (1) certify that their system's information is adequately protected and (2) authorize the system for operations. The overall audit objective was accomplished by reviewing the degree to which a variety of security program elements have been implemented for BFMS, including:
• Certification and Accreditation Statement;
• Federal Information Processing Standard 199 Analysis;
• Information System Security Plan;
• Risk Assessment;
• Independent Security Control Testing;
• Security Control Self-Assessment;
• Contingency Planning and Contingency Plan Testing;
• Privacy Impact Assessment;
• Plan of Action and Milestones Process; and
• NIST Special Publication (SP) 800-53 Security Controls.

Scope and Methodology

This performance audit was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States. Accordingly, the audit included an evaluation of related policies and procedures, compliance tests, and other auditing procedures that we considered necessary. The audit covered FISMA compliance efforts of OCFO and OCIO officials responsible for BFMS, including IT security controls in place as of April 2010.

We considered the BFMS internal control structure in planning our audit procedures. These procedures were mainly substantive in nature, although we did gain an understanding of management procedures and controls to the extent necessary to achieve our audit objectives.

To accomplish our objective, we interviewed representatives of OPM's OCFO and other program officials with BFMS security responsibilities. We reviewed relevant OPM IT policies and procedures, federal laws, OMB policies and guidance, and NIST guidance. As appropriate, we conducted compliance tests to determine the extent to which established controls and procedures are functioning as required.

Details of the security controls protecting the confidentiality, integrity, and availability of BFMS are located in the "Results" section of this report. Since our audit would not necessarily disclose all significant matters in the internal control structure, we do not express an opinion on the BFMS system of internal controls taken as a whole.

The criteria used in conducting this audit include:
• OPM IT Security Policy;
• OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources;
• E-Government Act of 2002 (P.L. 107-347), Title III, Federal Information Security Management Act of 2002;
• NIST SP 800-12, An Introduction to Computer Security;
• NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems;
• NIST SP 800-30, Risk Management Guide for Information Technology Systems;
• NIST SP 800-34, Contingency Planning Guide for Information Technology Systems;
• NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems;
• NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems;
• NIST SP 800-60 Volume II, Guide for Mapping Types of Information and Information Systems to Security Categories;
• Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems; and
• Other criteria as appropriate.

In conducting the audit, we relied to varying degrees on computer-generated data. Due to time constraints, we did not verify the reliability of the data generated by the various information systems involved. However, nothing came to our attention during our audit testing utilizing the computer-generated data to cause us to doubt its reliability. We believe that the data was sufficient to achieve the audit objectives. Except as noted above, the audit was conducted in accordance with generally accepted government auditing standards issued by the Comptroller General of the United States.

The audit was performed by the OPM Office of the Inspector General, as established by the Inspector General Act of 1978, as amended. The audit was conducted from December 2009 through April 2010 in OPM's Washington, D.C. office.

Compliance with Laws and Regulations

In conducting the audit, we performed tests to determine whether the OCFO's management of BFMS is consistent with applicable standards. Nothing came to the OIG's attention during this review to indicate that the OCFO is in violation of relevant laws and regulations.

Results

I. Applications Included in the Benefit Financial Management System (BFMS)

BFMS is comprised of multiple applications that provide management and accounting support to OPM's Civil Service Retirement and Disability Fund, the Federal Employees' Group Life Insurance Program, and the Federal Employees Health Benefits Program. All BFMS applications reside within OPM's mainframe environment, and inherit many security controls from this infrastructure. However, throughout the fieldwork phase of this audit, it became apparent to OIG auditors that the OCFO does not have a clear understanding of which specific applications are actually a part of the BFMS umbrella of systems.

The 2007 and 2009 versions of the BFMS contingency plan and information system security plan (ISSP) each contain lists of applications that are part of BFMS. Although there were no major system changes during this time frame, the lists of applications vary significantly. The discrepancies in the BFMS inventory can be attributed to the removal of several systems that were actually owned by other OPM program offices or another federal agency, and the addition of an existing system that has a different user interface from the other applications, but shares the same back-end infrastructure.

In January 2010, the OCFO provided the OIG with an updated list of applications that differs from the 2009 documentation with the inclusion of two additional systems. The OCFO provided a subsequent update in March 2010 in which two systems were subtracted from the inventory (not the same two that were added in January 2010). The OCFO stated that the BFMS application inventory continues to be a work in progress.

The fact that the specific applications that are part of BFMS have not been clearly defined has limited the OCFO's ability to adequately manage several security-related elements required by FISMA. Specifically, the BFMS independent security control test, the internal self-assessment of security controls, and the system's contingency plan could not have had accurately defined scopes, resulting in several applications not being properly tested. We consider this issue to be a significant deficiency in the BFMS control structure.

Recommendation 1
We recommend that the OCFO develop a clearly defined list of applications that are part of BFMS.

OCFO Response:
"CFO agrees with the recommendation and will provide a clearly defined list of applications related to BFMS by July 31, 2010."

Recommendation 2
We recommend that the OCIO review all applications dropped from the BFMS umbrella of systems and appropriately add them to OPM's system inventory.

OCFO Response:
"CFO agrees with the recommendation and will review all applications in conjunction with the CIO that do not belong to the BFMS umbrella of systems by July 31, 2010."

II. Certification and Accreditation Statement

A security certification and accreditation (C&A) of BFMS was completed in August 2007.

NIST SP 800-37, "Guide for the Security Certification and Accreditation of Federal Information Systems," provides guidance to federal agencies in meeting security accreditation requirements. The BFMS C&A appears to have been conducted in compliance with NIST guidance.

OPM's Information Technology Security Officer reviewed the BFMS C&A package and signed the system's certification package on August 10, 2007. OPM's Chief Financial Officer signed the accreditation statement and authorized the continued operation of the system on August 17, 2007.

BFMS is due for a new C&A in August 2010; we will evaluate the new C&A as part of the FY10 FISMA audit.

III. FIPS 199 Analysis

Federal Information Processing Standard (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, requires federal agencies to categorize all federal information and information systems in order to provide appropriate levels of information security according to a range of risk levels.

NIST SP 800-60 Volume II, Appendixes to Guide for Mapping Types of Information and Information Systems to Security Categories, provides an overview of the security objectives and impact levels identified in FIPS Publication 199.

The BFMS information system security plan (ISSP) categorizes information processed by the system and its corresponding potential impacts on confidentiality, integrity, and availability. BFMS is categorized with a moderate impact level for confidentiality, moderate for integrity, low for availability, and an overall categorization of moderate.

The security categorization of BFMS appears to be consistent with the guidance of FIPS 199 and NIST SP 800-60.

IV. Information System Security Plan

Federal agencies must implement the information system security controls outlined in NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems. NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, requires that these controls be documented in an information systems security plan (ISSP) for each system, and provides guidance for doing so.

The ISSP for BFMS was created using the template outlined in NIST SP 800-18. The template requires that the following elements be documented within the ISSP:
• System Name and Identifier;
• System Categorization;
• System Owner;
• Authorizing Official;
• Assignment of Security Responsibility;
• System Operational Status;
• Information System Type;
• General Description/Purpose;
• System Environment;
• System Interconnection/Information Sharing; and
• Laws, Regulations, and Policies Affecting the System.

The BFMS ISSP contains the majority of the elements outlined by NIST. Although the ISSP lists systems that are interconnected with BFMS, it does not contain several critical details of these connections as required by the NIST guide. Specifically, the BFMS ISSP does not detail the FIPS 199 category, C&A status, or authorizing official of the interconnected systems.

Recommendation 3
We recommend that the system interconnection section of the BFMS ISSP be revised to include important identifiers of the interconnected systems (FIPS 199 categorization, C&A status, and the authorizing official).

OCFO Response:
"CFO agrees with the recommendation and will work with the CIO in conjunction to determine identifiers of the interconnected systems by August 6, 2010."

V. Risk Assessment

A risk management methodology focused on protecting core business operations and processes is a key component of an efficient IT security program. A risk assessment is used as a tool to identify security threats, vulnerabilities, potential impacts, and probability of occurrence. In addition, a risk assessment is used to evaluate the effectiveness of security policies and recommend countermeasures to ensure adequate protection of information technology resources.

NIST SP 800-30, Risk Management Guide for Information Technology Systems, offers a nine step systematic approach to conducting a risk assessment that includes: (1) system characterization; (2) threat identification; (3) vulnerability identification; (4) control analysis; (5) likelihood determination; (6) impact analysis; (7) risk determination; (8) control recommendation; and (9) results documentation.

A risk assessment was conducted for BFMS in 2007 that addresses all of the elements outlined in the NIST guidance.

VI. Independent Security Control Testing

A security test and evaluation (ST&E) was completed for BFMS as a part of the system's C&A process in July 2007. The ST&E was conducted by an OPM contractor who was operating independently from BFMS. The OIG reviewed the controls tested to ensure that they included a review of the appropriate management, operational, and technical controls required for a system with a "moderate" security categorization according to NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems.

The ST&E labeled each security control as common (inherited from OPM's IT infrastructure), application specific, or hybrid. The application specific and hybrid controls were tested as part of this ST&E, whereas the testing of common controls is the responsibility of OPM's OCIO. However, the controls identified as common controls in the ST&E were not consistent with the common controls identified in the BFMS self-assessment of security controls conducted by the OCFO. OPM's OCIO has not published a list of common controls for which they maintain responsibility; therefore the OCFO was required to make an assumption as to which controls are inherited from the OPM infrastructure. In addition, as mentioned in section I, the OCFO does not have a clearly defined list of the sub-applications that are part of BFMS.

Without clearly defined lists of common, hybrid, and application specific controls, or a clear understanding of the sub-applications that are part of BFMS, the BFMS ST&E could not have had an adequately defined scope. As a result, certain BFMS applications were not subject to proper independent security control testing.

Recommendation 4
We recommend that the OCFO and the OCIO determine whether each NIST SP 800-53 security control applicable to BFMS is common, application specific, or hybrid.

OCFO Response:
"CFO agrees with the recommendation. The CIO Information Technology Security Officer (ITSO) will determine the agency wide common security controls. The CFO will determine whether the security controls are BFMS application specific or hybrid by August 17, 2010."

Recommendation 5
Once the categorization of each security control is defined and the specific applications that are part of BFMS are determined, a new ST&E should be conducted for BFMS.

OCFO Response:
"CFO agrees with the recommendation and will ensure the categorization of each security control is defined and the specific applications that are part of BFMS are determined; a new ST&E will be conducted for BFMS as part of the Re-C&A."

VII. Security Control Self-Assessment

FISMA requires that IT security controls of each major application owned by a federal agency be tested on an annual basis. In the years that an independent ST&E is not being conducted on a system, the system's owner must conduct an internal self-assessment of security controls.

The designated security officer (DSO) for BFMS conducted a self-assessment of the system in March 2009. The assessment included a review of the relevant management, operational, and technical security controls outlined in the NIST SP 800-53 Revision 2. However, as mentioned in section I, the OCFO does not have a clearly defined list of the sub-applications that are part of BFMS; therefore, the DSO could not have known all specific applications for which to test the security controls.

In addition, although the BFMS self-assessment indicated that there were zero security weaknesses in the system, an OIG review of the same security controls indicated that weaknesses do exist (see section XI, below).

Recommendation 6
Once the specific applications that are part of BFMS are determined, a new self-assessment of security controls should be conducted for BFMS.

OCFO Response:
"CFO agrees with the recommendation and will provide a new assessment of the security controls, which will be conducted for BFMS by August 6, 2010."

VIII. Contingency Planning and Contingency Plan Testing

NIST SP 800-34, Contingency Planning Guide for IT Systems, states that effective contingency planning, execution, and testing are essential to mitigate the risk of system and service unavailability. The OPM IT security policy requires that OPM general support systems and major applications have viable and logical disaster recovery and contingency plans, and that these plans be annually reviewed, tested, and updated.

Contingency Plan

The BFMS Contingency Plan documents the functions, operations, and resources necessary to restore and resume BFMS operations when unexpected events or disasters occur. Although the BFMS contingency plan closely follows the format suggested by NIST SP 800-34 guidelines, several areas of the contingency plan could be improved.

The "recovery operations" section of the BFMS contingency plan outlines high level steps required to recover the system using alternate resources in a disaster situation. During the fieldwork phase of this audit, the OCFO described to OIG auditors several procedures that the OCFO is responsible for in a disaster recovery operation, including:
• Running test scripts and comparing "before" and "after" screenshots of the application to ensure the integrity of restored applications;
• Notifying OPM's Data Center Group of the results of these tests; and
• Communicating the status of recovery operations to external parties.

However, the BFMS contingency plan does not contain specific instructions for performing these steps of the recovery operation. Furthermore, as mentioned in section I, the OCFO does not have a clearly defined list of the sub-applications that are part of BFMS, and therefore the recovery procedures could not have had an adequately defined scope. As a result, there are BFMS applications for which the disaster recovery operations have not been tested.

In addition, although recovery teams and personnel have been identified in the BFMS contingency plan, the plan only lists the job title of each member, and does not specify the roles and responsibilities assigned to each individual or team. NIST SP 800-34 states that the "responsibilities" section of a contingency plan must detail the teams and personnel trained to respond to a disaster. Team members must be listed with their corresponding responsibilities and tasks.

Recommendation 7
We recommend that the restoration procedures section of the BFMS contingency plan be expanded to include specific details of each step required by OCFO personnel to recover each sub-application of BFMS in a disaster situation.

OCFO Response:
"CFO agrees with the recommendation and will expand the IT contingency plan to include specific details for each step required by CFO personnel to recover each sub-application of BFMS by August 6, 2010."

Recommendation 8
We recommend that the OCFO document the specific roles and responsibilities of teams and team members assigned contingency response procedures in the responsibilities section of the contingency plan.

OCFO Response:
"CFO agrees with the recommendation and will expand the IT contingency plan to include specific details for each step required by CFO personnel to recover each sub-application of BFMS by August 6, 2010. This will be done in the form of an addendum."

Contingency Plan Test

NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, provides guidance for conducting and documenting contingency plan testing. Contingency plan testing is a critical element of a viable disaster response capability.

In FY 2009, the OCFO conducted a table top review of the BFMS contingency plan. However, the OCFO did not conduct a scenario-based contingency plan test (to include critical elements such as scope, scenario, objectives, logistics, time frame, and participants) as required by NIST.

Recommendation 9
We recommend that the OCFO conduct a scenario-based contingency plan test in accordance with NIST SP 800-34 guidelines.

OCFO Response:
"CFO agrees with the recommendation and will conduct a scenario based contingency plan test in accordance with NIST 800-34 guidelines by August 17, 2010."

IX. Privacy Impact Assessment

The E-Government Act of 2002 requires agencies to perform a screening of federal information systems to determine if a Privacy Impact Assessment (PIA) is required for that system. OMB Memorandum M-03-22 outlines the necessary components of a PIA. The purpose of the assessment is to evaluate any vulnerabilities of privacy in information systems and to document any privacy issues that have been identified and addressed.

The OCFO completed an initial screening of the BFMS system and determined that a PIA was required for this system. In August 2007, a PIA of the system was conducted in accordance with the guidelines and template of the OPM PIA guide. A summary of the BFMS PIA is available on OPM's website.

However, OPM's PIA guide is missing several elements required by the OMB Memorandum. Consequently, the BFMS PIA is missing these elements as well. The OMB Memorandum states that PIAs must identify what choices the agency made regarding an IT system or collection of information as a result of performing the PIA.
In addition, PIAs for major\n    applications should reflect more extensive analyses of: consequences of collection and flow of\n    information; the alternatives to collection and handling as designed; the appropriate measures\n    to mitigate risks identified for each alternative; and the rationale for the fmal design choice or\n    business process.\n\n    In addition, there is no evidence that the BFMS PIA has been reviewed by the system owner on\'\n    an annual basis, as required by OMB.\n\n\n\n\n                                                   10\n\x0c      Recommendation 10\n      We recommend that the OCFO conduct a PIA for BFMS that includes all of the required\n      elements from OMB Memorandum M-03-22.\n\n      QCFQ Response:\n      "CFQ agrees with the recoltUlU!ndation and will update the PIA to have the required\n      elementsfor BFMS by August 6, 2010. "\n\n      Recommendation 11\n      We recommend that the OCFO review the BFMS PIA on an annual basis and submit evidence\n      of this review to the OCIO.\n\n      OCFQ Response:\n      "CFQ agrees with the recoltUlU!ndation and will update the PIA to have the required\n      elementsfor BFMS by August 6,2010."\n\nx.\t   Plan of Action and Milestones Process\n\n      A Plan of Action and Milestones (POA&M) is a tool used to assist agencies in identifying,\n      assessing, prioritizing, and monitoring the progress of corrective efforts for IT security\n      weaknesses. OPM has implemented an agency-wide POA&M process to help track known IT\n      security weaknesses associated with the agency\'s information systems.\n\n      The OIO evaluated the BFMS POA&Mand verified that it follows the format ofOPM\'s\n      template, and has been routinely submitted to the ocro for evaluation. 
We also determined that the POA&M contained action items for all security weaknesses identified through various security control tests and audits.

Nothing came to our attention during this evaluation to indicate that there are any current weaknesses in the OCFO's management of POA&Ms.

XI. NIST SP 800-53 Evaluation

NIST SP 800-53 Revision 2, Recommended Security Controls for Federal Information Systems, provides guidance for implementing a variety of security controls for information systems supporting the federal government. As part of this audit, the OIG determined whether a subset of these controls had been adequately implemented for BFMS, including:
• AC-2 Account Management
• AC-7 Unsuccessful Login Attempts
• AC-11 Session Lock
• AC-13 Supervision and Review - Access Control
• AU-2 Auditable Events
• AU-3 Content of Audit Records
• AU-6 Audit Monitoring, Analysis, and Reporting
• AU-8 Time Stamps
• CA-3 Information System Connections
• CM-2 Baseline Configuration
• CM-3 Configuration Change Control
• CM-4 Monitoring Configuration Changes
• IA-1 Identification and Authentication Policy and Procedures
• IA-4 Identifier Management
• IA-5 Authenticator Management
• MP-6 Media Sanitization and Disposal
• CM-6 Configuration Settings
• PL-4 Rules of Behavior
• PL-6 Security-Related Activity Planning
• PS-2 Position Categorization
• PS-4 Personnel Termination
• PS-5 Personnel Transfer
• PS-6 Access Agreements
• RA-5 Vulnerability Scanning
• SA-3 Life Cycle Support

These controls were evaluated by interviewing individuals with BFMS security responsibilities, reviewing documentation and system screenshots, viewing demonstrations of system capabilities, and conducting tests directly on the system.

As mentioned in section I, the OCFO does not have a clearly defined list of the sub-applications that are part of BFMS. The OIG's evaluation was based on the OCFO's inventory of BFMS applications during the fieldwork phase of this audit, and therefore may not represent the effectiveness of security controls for all BFMS applications.

Although it appears that the majority of NIST SP 800-53 security controls have been successfully implemented for BFMS, several tested controls were not fully satisfied.

a) Account Management (AC-2)

The OCFO does not conduct reviews of the user accounts of BFMS applications. Although the initial access established for a BFMS user is reviewed and approved, there are no periodic audits of user accounts to ensure that each user's specific access rights and privileges remain appropriate.

NIST SP 800-53 Revision 2 control AC-2 requires information system owners to periodically (at least annually) review information system accounts.
Failure to routinely review user accounts increases the risk that users have access to information that is not directly related to their job function.

Recommendation 12
We recommend that the OCFO establish a formal process for reviewing user accounts for appropriateness for each application that makes up BFMS.

OCFO Response:
"CFO agrees with the recommendation and will revise the BFMS account management to include the lists received by the OCIO IT security team. This should be completed by August 6, 2010."

b) Auditing (AU-2, AU-3, AU-6)

Application-level auditing has not been established for BFMS applications.

In order to access BFMS applications, a user must authenticate to the mainframe through its security software, IBM's Resource Access Control Facility (RACF). OPM's OCIO has procedures for logging and auditing users that authenticate to RACF. However, the OCIO does not log user authentications to the BFMS applications, or user activity within those applications.
Without such logs, the OCFO is unable to audit user access and activity for BFMS.

NIST SP 800-53 Revision 2 requires that:
• An information system generates audit records for a series of predefined events (control AU-2, Auditable Events);
• Audit records "contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events" (control AU-3, Content of Audit Records);
• The system owner "regularly reviews/analyzes information system audit records for indications of inappropriate or unusual activity" (control AU-6, Audit Monitoring, Analysis, and Reporting).

Failure to adequately log and audit activity within each BFMS application increases the risk that unauthorized user activity occurs undetected.

Recommendation 13
We recommend that the OCFO develop a clearly defined list of user activity that should be logged for each BFMS application and then implement the technical controls to begin logging this activity. Once the logging capability has been implemented, the OCFO should routinely audit/review the log activity.

OCFO Response:
"CFO agrees with the recommendation and will work with CIO/BS and the security office in determining a mechanism for this process. We will revise the BFMS account management process to include the lists received by the CIO security office. This should be completed by August 6, 2010."

c) Rules of Behavior (PL-4)

All individuals accessing OPM's network environment and the applications that reside within it must sign a "Computer User Responsibilities Statement" that outlines the appropriate use of the agency's IT resources.
However, BFMS users are not required to sign a Rules of Behavior document specific to the BFMS applications.

NIST SP 800-53 Revision 2 requires that "The organization establishes and makes readily available to all information system users, a set of rules that describes their responsibilities and expected behavior with regard to information and information system usage. The organization receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information."

Recommendation 14
We recommend that a formal Rules of Behavior document be developed for each BFMS application and that it be signed by all new and existing users.

OCFO Response:
"CFO agrees with the recommendation to implement rules of behavior for BFMS that is compliant with the CIO policy. This recommendation will be completed by August 6, 2010."

d) Personnel Termination (PS-4)

Five user accounts for one of the BFMS applications, the Federal Financial System, remained active after the individuals' employment was terminated. Each of these users' RACF accounts had been deactivated by the OCIO, which would have prevented them from accessing the system after their termination.
However, disabling the application-level accounts provides an extra layer of control to ensure that unauthorized users cannot access the system.

NIST SP 800-53 Revision 2 control PS-4 states that information system access should be immediately disabled upon termination of an individual.

Recommendation 15
We recommend that the OCFO implement a process for periodically reviewing user accounts for each BFMS application to ensure that no terminated employees have active access.

OCFO Response:
"CFO agrees with the recommendation and will revise the BFMS account management procedures from last year. The revised BFMS account management procedures will contain a separate paragraph for terminating employees. This recommendation will be completed by July 31, 2010."

Major Contributors to this Report

This audit report was prepared by the U.S. Office of Personnel Management, Office of Inspector General, Information Systems Audits Group. The following individuals participated in the audit and the preparation of this report:

•
• Senior Team Leader
• IT Auditor

Appendix

U.S. OFFICE OF PERSONNEL MANAGEMENT
OFFICE OF THE INSPECTOR GENERAL
WASHINGTON, DC

REPORT No.
4A-CF-00-10-018

Audit of the Information Technology Security Controls of the US Office of Personnel Management Benefits Financial Management System

CHIEF FINANCIAL OFFICER RESPONSE - JUNE 15, 2010:

CFO Response to OIG Draft Audit Report 4A-CF-00-10-018

Recommendation 1
We recommend that CFO develop a clearly defined list of applications that are part of BFMS.

Action by the CFO:
CFO agrees with the recommendation and will provide a clearly defined list of applications related to BFMS by July 31, 2010.

Recommendation 2
We recommend that the CIO review all applications dropped from the BFMS umbrella of systems and appropriately add them to OPM's system inventory.

Action by the CFO:
CFO agrees with the recommendation and will review all applications in conjunction with the CIO that do not belong to the BFMS umbrella of systems by July 31, 2010.

Recommendation 3
We recommend that the system interconnection section of the BFMS ISSP be revised to include important identifiers of the interconnected systems (FIPS 199 categorization, C&A status, and the authorizing official).

Action by the CFO:
CFO agrees with the recommendation and will work with the CIO in conjunction to determine identifiers of the interconnected systems by August 6, 2010.

Recommendation 4
We recommend that CFO and CIO determine whether each NIST SP 800-53 security control applicable to BFMS is common, application specific or hybrid.

Action by the CFO:
CFO agrees with the recommendation. The CIO Information Technology Security Officer (ITSO) will determine the agency wide common security controls.
The CFO will determine whether the security controls are BFMS application specific or hybrid by August 17, 2010.

Recommendation 5
We recommend that once the categorization of each security control is defined and the specific applications that are part of BFMS are determined, a new ST&E should be conducted for BFMS.

Action by the CFO:
CFO agrees with the recommendation and will ensure the categorization of each security control is defined and the specific applications that are part of BFMS are determined; a new ST&E will be conducted for BFMS as part of the Re C&A.

Recommendation 6
We recommend once the specific applications are defined for BFMS, a new assessment of security controls should be conducted for BFMS.

Action by the CFO:
CFO agrees with the recommendation and will provide a new assessment of the security controls, which will be conducted for BFMS by August 6, 2010.

Recommendation 7
We recommend that the restoration procedures section of the BFMS contingency plan be expanded to include specific details of each step required by CFO personnel to recover each sub-application of BFMS in a disaster situation.

Action by the CFO:
CFO agrees with the recommendation and will expand the IT contingency plan to include specific details for each step required by CFO personnel to recover each sub-application of BFMS by August 6, 2010.

Recommendation 8
We recommend that CFO document the specific roles and responsibilities of teams and team members assigned contingency response procedures in the responsibilities section of the contingency plan.

Action by the CFO:
CFO agrees with the recommendation and will expand the IT contingency plan to include specific details for each step required by CFO personnel to recover each sub-application of BFMS by August 6, 2010.
This will be done in the form of an addendum.

Recommendation 9
We recommend OCFO conduct a scenario based contingency plan test in accordance with NIST SP 800-34 guidelines.

Action by the CFO:
CFO agrees with the recommendation and will conduct a scenario based contingency plan test in accordance with NIST 800-34 guidelines by August 17, 2010.

Recommendation 10
We recommend CFO conduct a PIA for BFMS that includes all of the required elements from OMB memorandum M-03-22.

Action by the CFO:
CFO agrees with the recommendation and will update the PIA to have the required elements for BFMS by August 6, 2010.

Recommendation 11
We recommend CFO review the BFMS PIA on an annual basis and submit evidence of this review to CIO.

Action by the CFO:
CFO agrees with the recommendation and will update the PIA to have the required elements for BFMS by August 6, 2010.

Recommendation 12
We recommend that a formal process be established for reviewing user accounts for appropriateness for each application that makes up BFMS.

Action by the CFO:
CFO agrees with the recommendation and will revise the BFMS account management to include the lists received by the OCIO IT security team. This should be completed by August 6, 2010.

Recommendation 13
We recommend that CFO develop a clearly defined list of user activity that should be logged for each BFMS application and then implement the technical controls to begin logging this activity. Once the logging capability has been implemented, CFO should routinely audit/review the log activity.

Action by the CFO:
CFO agrees with the recommendation and will work with CIO/BS and the security office in determining a mechanism for this process. We will revise the BFMS account management process to include the lists received by the CIO security office.
This should be completed by August 6, 2010.

Authentication is performed by RACF but authorization is performed by Natural Security. DC security team will meet with BS and CFO to establish a procedure for this process.

Recommendation 14
We recommend that a formal Rules of Behavior document be developed for each BFMS application, and that it be signed for all new and existing users.

Action by the CFO:
CFO agrees with the recommendation to implement rules of behavior for BFMS that is compliant with the CIO policy. This recommendation will be completed by August 6, 2010.

Recommendation 15
We recommend that the CFO implement a process for periodically reviewing user accounts for each BFMS application to ensure that no terminated employees have active access.

Action by the CFO:
CFO agrees with the recommendation and will revise the BFMS account management procedures from last year. The revised BFMS account management procedures will contain a separate paragraph for terminating employees. This recommendation will be completed by July 31, 2010.

This control is already in place. Data Center security team on a weekly basis receives a Separation file provided by OPM's personnel office. DC security team compares the file received from HR with the information in the RACF database and if there is a match the Userid is removed from the system. DC security team has implemented a procedure by which they pass the information regarding employees separating from OPM and inter-agency employee transfers to the Help Desk and all the program office DSOs for action.
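The weekly separation-file comparison the CFO response to Recommendation 15 describes covers the RACF user database only; the audit's PS-4 finding in section XI was that application-level accounts (authorised through Natural Security rather than RACF) stayed active after RACF revocation, and its AC-2 finding was that nobody periodically re-reviews the rights those accounts hold. The following is an added example, not the report's or OPM's own tooling, of a reconciliation script that runs the same comparison against both the RACF list and an application-level account list, and produces the annual review worklist AC-2 asks for. The CSV layouts, column names, the application labels "FFS" and "BFMS-SUB1", every userid and date, the "ORPHAN" category, and the 365-day review threshold are all constructed assumptions.

```python
"""Reconcile an HR separation file against RACF and application-level
account lists (PS-4) and flag stale access reviews (AC-2).

Added example, not OPM's or the OCFO's tooling. It models the weekly control
the CFO response describes (separation file matched against the RACF user
database) and extends it to application-level accounts, which the audit
found still active after RACF revocation. Every layout, column name,
application name and record below is a constructed assumption.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample extracts (assumed CSV layouts, not OPM data).
SEPARATION_FILE = """\
userid,separation_date
JDOE01,2010-05-14
ASMITH,2010-06-01
BLEE02,2010-06-18
"""
RACF_USERS = """\
userid,status
JDOE01,REVOKED
ASMITH,REVOKED
BLEE02,ACTIVE
CWONG,ACTIVE
"""
APP_ACCOUNTS = """\
application,userid,status,last_reviewed
FFS,JDOE01,ACTIVE,2009-03-01
FFS,ASMITH,INACTIVE,2010-06-02
FFS,CWONG,ACTIVE,2009-02-10
FFS,XORPH,ACTIVE,2010-01-05
BFMS-SUB1,BLEE02,ACTIVE,2008-11-20
"""


@dataclass(frozen=True)
class Finding:
    control: str      # "PS-4", "AC-2", or "ORPHAN" (no active RACF userid)
    application: str  # application name, or "RACF" for the mainframe check
    userid: str
    detail: str


def parse_csv(text):
    """Parse one of the constructed CSV extracts into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def separated_as_of(rows, as_of):
    """Userids whose HR separation date is on or before the run date."""
    return {r["userid"] for r in rows
            if date.fromisoformat(r["separation_date"]) <= as_of}


def reconcile(separation_rows, racf_rows, app_rows, as_of, max_review_age=365):
    """Findings: separated users still active (PS-4), active application
    accounts with no active RACF userid (ORPHAN), and accounts whose last
    access review is older than max_review_age days (AC-2, annual)."""
    separated = separated_as_of(separation_rows, as_of)
    racf = {r["userid"]: r["status"] for r in racf_rows}
    findings = []
    for row in app_rows:
        app, uid = row["application"], row["userid"]
        if row["status"] != "ACTIVE":
            continue  # already disabled at the application level
        if uid in separated:
            # The audit finding: RACF revoked, application account still live.
            findings.append(Finding("PS-4", app, uid,
                f"separated user still active (RACF: {racf.get(uid, 'NOT FOUND')})"))
            continue  # the action is removal, not an access review
        if racf.get(uid) != "ACTIVE":
            findings.append(Finding("ORPHAN", app, uid,
                "active application account with no active RACF userid"))
        age = (as_of - date.fromisoformat(row["last_reviewed"])).days
        if age > max_review_age:
            findings.append(Finding("AC-2", app, uid,
                f"access rights last reviewed {age} days ago"))
    # Mainframe side: a separated user still ACTIVE in RACF means the weekly
    # separation-file run missed them.
    for uid in sorted(separated):
        if racf.get(uid) == "ACTIVE":
            findings.append(Finding("PS-4", "RACF", uid,
                "separated user still active in RACF"))
    return findings


def run_sample(as_of=date(2010, 6, 30)):
    """Run the reconciliation over the constructed extracts above."""
    return reconcile(parse_csv(SEPARATION_FILE), parse_csv(RACF_USERS),
                     parse_csv(APP_ACCOUNTS), as_of)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.control:<7}{f.application:<11}{f.userid:<8}{f.detail}")
```

On the constructed data the script reproduces the audit's finding pattern: JDOE01 is REVOKED in RACF but still ACTIVE in the Federal Financial System extract, and is reported under PS-4 even though the mainframe login path is already closed. The ORPHAN class exists because a RACF revocation is only a compensating control; an application account that no RACF userid can reach should still be disabled so that a later RACF re-enable or a mis-typed userid does not silently restore access. The run date matters: an account whose separation date is still in the future is left for the next weekly run rather than flagged early.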